WIP: Adds code signing

waldekmastykarz · waldekmastykarz · commit 8ef18a6cc03f · 2025-04-03T10:57:31.000+02:00
diff --git a/.github/workflows/create-release.yml b/.github/workflows/create-release.yml
@@ -61,6 +61,30 @@ jobs:
           Get-ChildItem -Filter *.deps.json -Recurse | Remove-Item
           Get-ChildItem -Filter *.runtimeconfig.json -Recurse | Remove-Item
           popd
+      - name: Install Sign CLI tool
+        working-directory: ./${{ env.release }}
+        run: dotnet tool install --tool-path . sign --version 0.9.1-beta.25181.2
+      - name: Azure CLI Login
+        uses: azure/login@v2
+        with:
+          client-id: ${{ secrets.DOTNET_APPLICATION_ID }}
+          tenant-id: ${{ secrets.DOTNET_TENANT_ID }}
+          subscription-id: ${{ secrets.DOTNET_SUBSCRIPTION_ID }}
+      - name: Sign binaries
+        working-directory: ./${{ env.release }}
+        shell: pwsh
+        run: >
+          ./sign code azure-key-vault
+          **/devproxy*
+          --publisher-name "Dev Proxy"
+          --description "Simulate API failures, throttling, and chaos - all from your command line."
+          --description-url "https://aka.ms/devproxy"
+          --azure-key-vault-tenant-id "${{ secrets.DOTNET_TENANT_ID }}"
+          --azure-key-vault-client-id "${{ secrets.DOTNET_APPLICATION_ID }}"
+          --azure-key-vault-certificate "${{ secrets.DOTNET_CERTIFICATE_NAME }}"
+          --azure-key-vault-url "${{ secrets.DOTNET_VAULT_URL }}"
+          --timestamp-url http://timestamp.digicert.com
+          --verbosity Debug
       - name: Archive release ${{ env.release }}
         uses: thedoctor0/zip-release@a24011d8d445e4da5935a7e73c1f98e22a439464 # master
         with:
@@ -74,6 +98,22 @@ jobs:
         with:
           name: binaries-${{ env.release }}
           path: ./${{ env.release }}.zip
+      - name: Sign abstractions
+        if: matrix.architecture == 'win-x64'
+        working-directory: ./${{ env.release }}
+        shell: pwsh
+        run: >
+          ./sign code azure-key-vault
+          ./dev-proxy-abstractions/bin/Release/net9.0/devproxy*.dll
+          --publisher-name "Dev Proxy"
+          --description "Simulate API failures, throttling, and chaos - all from your command line."
+          --description-url "https://aka.ms/devproxy"
+          --azure-key-vault-tenant-id "${{ secrets.DOTNET_TENANT_ID }}"
+          --azure-key-vault-client-id "${{ secrets.DOTNET_APPLICATION_ID }}"
+          --azure-key-vault-certificate "${{ secrets.DOTNET_CERTIFICATE_NAME }}"
+          --azure-key-vault-url "${{ secrets.DOTNET_VAULT_URL }}"
+          --timestamp-url http://timestamp.digicert.com
+          --verbosity Debug
       - name: Archive abstractions
         if: matrix.architecture == 'win-x64'
         uses: thedoctor0/zip-release@a24011d8d445e4da5935a7e73c1f98e22a439464 # master
@@ -114,8 +154,24 @@ jobs:
         run: cp ./${{ steps.installer.outputs.filename }} ./${{ env.release }}
       - name: Build Installer
         if: contains(matrix.architecture, 'win-')
-        run: ISCC.exe ${{ steps.installer.outputs.filename }} /F"dev-proxy-installer-${{ matrix.architecture }}-${{ github.ref_name }}"
+        run: ISCC.exe ${{ steps.installer.outputs.filename }} /F"dev-proxy-installer-${{ matrix.architecture }}-${{ github.ref_name }}" 
+        working-directory: ./${{ env.release }}
+      - name: Sign installer
+        if: contains(matrix.architecture, 'win-')
         working-directory: ./${{ env.release }}
+        shell: pwsh
+        run: >
+          ./sign code azure-key-vault
+          ./dev-proxy-installer-*.exe
+          --publisher-name "Dev Proxy"
+          --description "Simulate API failures, throttling, and chaos - all from your command line."
+          --description-url "https://aka.ms/devproxy"
+          --azure-key-vault-tenant-id "${{ secrets.DOTNET_TENANT_ID }}"
+          --azure-key-vault-client-id "${{ secrets.DOTNET_APPLICATION_ID }}"
+          --azure-key-vault-certificate "${{ secrets.DOTNET_CERTIFICATE_NAME }}"
+          --azure-key-vault-url "${{ secrets.DOTNET_VAULT_URL }}"
+          --timestamp-url http://timestamp.digicert.com
+          --verbosity Debug
       - name: Upload Installer
         if: contains(matrix.architecture, 'win-')
         uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
@@ -151,77 +207,77 @@ jobs:
           args: |
               output/binaries-*/*.zip
               output/installer-*/*.exe
-  deploy_docker:
-    name: Publish Docker image
-    runs-on: ubuntu-latest
-    needs: [create_release]
-    permissions:
-      contents: read
-      packages: write
-      attestations: write
-      id-token: write
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-      # Required for multi-platform images
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
-      # Required for multi-platform images
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0
-        with:
-          driver-opts: image=moby/buildkit:latest
-      - name: Log in to the Container registry
-        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
-        with:
-          registry: ${{ env.REGISTRY }}
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-      - name: Extract metadata (tags, labels) for Docker
-        id: meta
-        uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0
-        with:
-          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
-          flavor: |
-            latest=false
-          tags: |
-            type=semver,pattern={{version}}
-            type=raw,value=latest,enable=${{ !contains(github.ref_name, '-beta') }}
-            type=raw,value=beta,enable=${{ contains(github.ref_name, '-beta') }}
-          labels: |
-            org.opencontainers.image.description=${{ env.IMAGE_DESCRIPTION }}
-          annotations: |
-            org.opencontainers.image.description=${{ env.IMAGE_DESCRIPTION }}
-      - name: Build and push Docker image
-        if: "!contains(github.ref_name, '-beta')"
-        id: push
-        uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4 # v6.15.0
-        with:
-          context: .
-          push: true
-          tags: ${{ steps.meta.outputs.tags }}
-          labels: ${{ steps.meta.outputs.labels }}
-          annotations: ${{ steps.meta.outputs.annotations }}
-          platforms: linux/amd64,linux/arm64
-          build-args: |
-            DEVPROXY_VERSION=${{ steps.meta.outputs.version }}
-      - name: Build and push beta Docker image
-        if: contains(github.ref_name, '-beta')
-        id: push_beta
-        uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4 # v6.15.0
-        with:
-          context: .
-          file: ./Dockerfile_beta
-          push: true
-          tags: ${{ steps.meta.outputs.tags }}
-          labels: ${{ steps.meta.outputs.labels }}
-          annotations: ${{ steps.meta.outputs.annotations }}
-          platforms: linux/amd64,linux/arm64
-          build-args: |
-            DEVPROXY_VERSION=${{ steps.meta.outputs.version }}
-      - name: Generate artifact attestation
-        uses: actions/attest-build-provenance@v2
-        with:
-          subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
-          subject-digest: ${{ steps.push.outputs.digest || steps.push_beta.outputs.digest }}
-          push-to-registry: true
+  # deploy_docker:
+  #   name: Publish Docker image
+  #   runs-on: ubuntu-latest
+  #   needs: [create_release]
+  #   permissions:
+  #     contents: read
+  #     packages: write
+  #     attestations: write
+  #     id-token: write
+  #   steps:
+  #     - name: Checkout repository
+  #       uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+  #     # Required for multi-platform images
+  #     - name: Set up QEMU
+  #       uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
+  #     # Required for multi-platform images
+  #     - name: Set up Docker Buildx
+  #       uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0
+  #       with:
+  #         driver-opts: image=moby/buildkit:latest
+  #     - name: Log in to the Container registry
+  #       uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
+  #       with:
+  #         registry: ${{ env.REGISTRY }}
+  #         username: ${{ github.actor }}
+  #         password: ${{ secrets.GITHUB_TOKEN }}
+  #     - name: Extract metadata (tags, labels) for Docker
+  #       id: meta
+  #       uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0
+  #       with:
+  #         images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+  #         flavor: |
+  #           latest=false
+  #         tags: |
+  #           type=semver,pattern={{version}}
+  #           type=raw,value=latest,enable=${{ !contains(github.ref_name, '-beta') }}
+  #           type=raw,value=beta,enable=${{ contains(github.ref_name, '-beta') }}
+  #         labels: |
+  #           org.opencontainers.image.description=${{ env.IMAGE_DESCRIPTION }}
+  #         annotations: |
+  #           org.opencontainers.image.description=${{ env.IMAGE_DESCRIPTION }}
+  #     - name: Build and push Docker image
+  #       if: "!contains(github.ref_name, '-beta')"
+  #       id: push
+  #       uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4 # v6.15.0
+  #       with:
+  #         context: .
+  #         push: true
+  #         tags: ${{ steps.meta.outputs.tags }}
+  #         labels: ${{ steps.meta.outputs.labels }}
+  #         annotations: ${{ steps.meta.outputs.annotations }}
+  #         platforms: linux/amd64,linux/arm64
+  #         build-args: |
+  #           DEVPROXY_VERSION=${{ steps.meta.outputs.version }}
+  #     - name: Build and push beta Docker image
+  #       if: contains(github.ref_name, '-beta')
+  #       id: push_beta
+  #       uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4 # v6.15.0
+  #       with:
+  #         context: .
+  #         file: ./Dockerfile_beta
+  #         push: true
+  #         tags: ${{ steps.meta.outputs.tags }}
+  #         labels: ${{ steps.meta.outputs.labels }}
+  #         annotations: ${{ steps.meta.outputs.annotations }}
+  #         platforms: linux/amd64,linux/arm64
+  #         build-args: |
+  #           DEVPROXY_VERSION=${{ steps.meta.outputs.version }}
+  #     - name: Generate artifact attestation
+  #       uses: actions/attest-build-provenance@v2
+  #       with:
+  #         subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+  #         subject-digest: ${{ steps.push.outputs.digest || steps.push_beta.outputs.digest }}
+  #         push-to-registry: true
